Date: Tue, 25 Aug 2015 16:49:44 +0000 From: Tristan Cacqueray <tdecacqu@...hat.com> To: oss-security@...ts.openwall.com Subject: [OSSA 2015-015] Nova instance migration process does not stop when instance is deleted (CVE-2015-3241) ===================================================================================== OSSA-2015-015: Nova instance migration process does not stop when instance is deleted ===================================================================================== :Date: August 25, 2015 :CVE: CVE-2015-3241 Affects ~~~~~~~ - Nova: versions through 2014.2.3 and 2015.1 versions through 2015.1.1 Description ~~~~~~~~~~~ George Shuklin from Webzilla LTD reported a vulnerability in Nova migration process. By resizing and deleting an instance repeatedly an authenticated user may overcome his quota and overload Nova computes node resulting in a denial of service attack. All Nova setups are affected. Patches ~~~~~~~ - https://review.openstack.org/208876 (Juno) - https://review.openstack.org/214528 (Juno) - https://review.openstack.org/213234 (Kilo) - https://review.openstack.org/209856 (Kilo) - https://review.openstack.org/194861 (Liberty) - https://review.openstack.org/192986 (Liberty) Credits ~~~~~~~ - George Shuklin from Webzilla LTD (CVE-2015-3241) References ~~~~~~~~~~ - https://launchpad.net/bugs/1387543 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3241 Notes ~~~~~ - This fix requires oslo.concurrency >= 1.8.2 for Kilo and >= 2.3.0 for Liberty. Juno fix embeds a patched version of oslo.concurrency. - This fix will be included in future 2014.2.4 (juno) and 2015.1.2 (kilo) releases. -- Tristan Cacqueray OpenStack Vulnerability Management Team Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ